Tag: firewall

  • How to whitelist a hostname in CSF firewall

    Firewalls usually allow or block IP addresses. To allow a hostname, you normally have to look up its IP address and whitelist that address. If you use a dynamic DNS service such as noip or dyndns, the IP address behind your hostname changes whenever your internet provider assigns you a new one, so a static whitelist entry goes stale.

    ConfigServer Security and Firewall (CSF) supports dynamic DNS hostnames. The same feature can be used to whitelist ordinary hostnames too.

    To allow a hostname, log in to your server over SSH.

    Edit the file

    vi /etc/csf/csf.dyndns

    In this file, add the hostname(s) you want whitelisted, one per line.

    In the CSF config file, make the following changes.

    vi /etc/csf/csf.conf

    Set the value of DYNDNS

    DYNDNS = "600"

    This tells CSF to re-resolve the IP addresses of the whitelisted hostnames every 600 seconds (10 minutes). You can change this as needed.

    DYNDNS_IGNORE = "1"

    With DYNDNS_IGNORE set to 1, lfd will never block the resolved IP addresses, even after failed login attempts or too many connections.

    Restart lfd so the change takes effect:

    systemctl restart lfd

    Back to CSF Firewall
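    An added example, not part of the post: a small POSIX shell audit of the dynamic-DNS whitelist setup described above. It reads the two settings from a csf.conf-style file, checks that DYNDNS is a positive interval and DYNDNS_IGNORE is "1", and lists the hostnames in csf.dyndns. The sample files are constructed here so it runs without a CSF install; the function names and the "one hostname per line, # starts a comment" reading of csf.dyndns are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not CSF's own code): audit the hostname whitelist settings.
# Paths follow the stock CSF layout; the sample files below are constructed so
# the script runs offline. Point the functions at /etc/csf/* on a real server.

# Value of KEY from a csf.conf-style file (lines look like KEY = "value").
csf_get_key() {   # $1 = conf file, $2 = key
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Hostnames listed in csf.dyndns: one per line, '#' comments and blank lines
# ignored (this example's assumption about the file format).
dyndns_entries() {   # $1 = csf.dyndns path
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Report whether the conf values make the hostname whitelist effective:
# DYNDNS must be a positive number of seconds and DYNDNS_IGNORE must be "1".
# Returns 0 when both hold, 1 otherwise; findings go to stdout.
dyndns_audit() {   # $1 = csf.conf path
    interval=$(csf_get_key "$1" DYNDNS)
    ignore=$(csf_get_key "$1" DYNDNS_IGNORE)
    rc=0
    case "$interval" in
        ''|*[!0-9]*|0)
            echo "DYNDNS='$interval': hostnames in csf.dyndns are never resolved"
            rc=1 ;;
        *)
            echo "DYNDNS=$interval: hostnames re-resolved every $interval seconds" ;;
    esac
    if [ "$ignore" != "1" ]; then
        echo "DYNDNS_IGNORE='$ignore': resolved addresses can still be blocked by lfd"
        rc=1
    fi
    return $rc
}

# Constructed sample files standing in for /etc/csf/csf.conf and /etc/csf/csf.dyndns.
SAMPLE_CONF=$(mktemp)
SAMPLE_DYNDNS=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_DYNDNS"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed excerpt of csf.conf after the edits in the post
TESTING = "0"
DYNDNS = "600"
DYNDNS_IGNORE = "1"
EOF
cat > "$SAMPLE_DYNDNS" <<'EOF'
# constructed csf.dyndns
home.example-dyndns.test      # office workstation
backup.example.test
EOF

dyndns_audit "$SAMPLE_CONF"
echo "whitelisted hostnames:"
dyndns_entries "$SAMPLE_DYNDNS"
```

    The audit returns non-zero when either setting would leave the whitelist ineffective, which makes it usable from a configuration check run after editing csf.conf.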

  • Install CSF firewall on Ubuntu Server

    First, install the libwww-perl package needed by CSF:

    apt -y install libwww-perl

    Install CSF with:

    cd /usr/local/src
    wget https://github.com/waytotheweb/scripts/raw/refs/heads/main/csf.tgz 
    tar -xzf csf.tgz
    cd csf
    sh install.sh

    Change the following settings in csf.conf:

    /bin/sed -i "s/RESTRICT_SYSLOG\s*=.*$/RESTRICT_SYSLOG = \"3\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/SYSLOG_CHECK\s*=.*$/SYSLOG_CHECK = \"3600\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/TESTING = \"1\"/TESTING = \"0\"/g" /etc/csf/csf.conf

    If you need the web UI enabled, edit the file

    vi /etc/csf/csf.conf

    Modify the following settings

    UI = "1"
    UI_PORT = "8282"
    UI_USER = "username"
    UI_PASS = "password"
    UI_ALLOW = "0"

    With UI_ALLOW = "0" the UI port accepts connections from any address, so choose a strong UI_PASS; if the UI only needs to be reachable from known IPs, set UI_ALLOW = "1" and list those addresses in /etc/csf/ui/ui.allow.

  • Whitelisting an IP Address in CSF Firewall

    There are three ways to whitelist an IP address in ConfigServer Security & Firewall (csf). A whitelisted IP address can reach every port on the server, including ports that are otherwise closed. For example, you can close SSH port 22 on the server and then add your own IP address to the whitelist; you will still be able to reach SSH from your IP address.

    Using WHM

    Log in to WHM as root, then go to WHM > Plugins > ConfigServer Security & Firewall.

    (Screenshot: whitelist IP in csf)

    In the text box to the right of the “Quick Allow” button, enter the IP address you need to whitelist, then click “Quick Allow”.

    The Quick Deny option below it blocks an IP address from accessing the server.

    Quick Ignore lets you ignore an IP address. It works like Quick Allow, but the difference is what happens afterwards: an IP whitelisted with Quick Allow still gets blocked if it fails some ModSecurity rules or makes several failed logins, whereas an ignored IP address is never blocked by ModSecurity or lfd.

    Using csf command

    If you are logged in via SSH or WHM > Terminal, run the following command to whitelist an IP address.

    csf -a IP_ADDR_HERE
    

    The argument can be a single IP address or an IP range in CIDR notation.

    To block an IP, use

    csf -d IP_ADDR_HERE
    

    Manually editing csf.allow

    To allow an IP or IP range (CIDR notation), edit the file

    vi /etc/csf/csf.allow
    

    To ignore an IP address instead, add it to the file

    vi /etc/csf/csf.ignore
    

    IPs in csf.ignore are never banned for lfd or ModSecurity failures. IPs in csf.allow can still be blocked by ModSecurity or lfd.

    Add your IP to the file, then restart the csf firewall.

    csf -r
    

    See csf

  • Firewalld

    firewall-cmd is the command-line tool for managing firewalld, the firewall front end to iptables that is used by default on recent versions of CentOS and RHEL.

    Check firewall status

    To see whether the firewall is running or not, use

    firewall-cmd --state

    or

    systemctl status firewalld

    To disable firewalld

    systemctl stop firewalld
    systemctl disable firewalld

    Open a port in firewall

    To allow HTTP, HTTPS, SSH and SMTP (port 25) traffic, run

    firewall-cmd --permanent --zone=public --add-service=http
    firewall-cmd --permanent --zone=public --add-service=https
    firewall-cmd --permanent --zone=public --add-service=ssh
    firewall-cmd --permanent --zone=public --add-port=25/tcp
    firewall-cmd --reload

    The --permanent option makes the change persistent, but it does not take effect until you reload the firewall. To open a port in the current session and also make it permanent, run the command both with and without --permanent.

    Open a port range in firewall

    firewall-cmd --zone=public --add-port=22-65535/tcp
    

    Close a port in firewall

    To close a port, use the same command as for opening it, with --add replaced by --remove.

    firewall-cmd --permanent --zone=public --remove-service http
    firewall-cmd --permanent --zone=public --remove-port 25/tcp

    Whitelist an IP address

    firewall-cmd --zone=trusted --add-source=IP_ADDR_HERE

    To remove an IP, use

    firewall-cmd --zone=trusted --remove-source=IP_ADDR_HERE

    Firewalld Zones

    A zone is a collection of rules that can be applied to a specific interface. Some useful commands are

    firewall-cmd --get-active-zones
    firewall-cmd --get-default-zone
    firewall-cmd --list-all-zones
    firewall-cmd --info-zone=public

    The default zone definitions are stored in /usr/lib/firewalld/zones; zones you modify are saved to /etc/firewalld/zones.

    Services

    Services are pre-made rule sets for a specific application. Some useful commands are

    firewall-cmd --get-services
    firewall-cmd --info-service SERVICE_NAME_HERE

    Services are stored in /usr/lib/firewalld/services/ or /etc/firewalld/services/

    On an AlmaLinux 9 cPanel server, the following service file was used

    https://gist.github.com/serverok/4433cbc84b90f41ddf60031896cf8475

    Save the runtime configuration as permanent

    firewall-cmd --runtime-to-permanent

    iptables

    See firewall

  • Firewalld list all open ports

    Firewalld list all open ports

    To list all open ports in firewalld, run

    firewall-cmd --list-ports
    

    Ports opened by enabling a service are not shown by --list-ports, so also check

    [root@oc1 ~]# firewall-cmd --list-services
    http https ssh
    [root@oc1 ~]# 
    

    (Screenshot: firewalld list ports)

    See firewalld

  • Firewalld list rules

    To list the rules of a zone, use the command

    firewall-cmd --list-all --zone=public
    

    To list all open ports

    firewall-cmd --list-ports
    

    Example

    [root@centos7 zones]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.1.2/32" port protocol="tcp" port="1-65535" accept'
    success
    [root@centos7 zones]# firewall-cmd --list-all --zone=public
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0 eth1
      sources: 
      services: dhcpv6-client ssh
      ports: 25/tcp 9090/tcp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
            rule family="ipv4" source address="10.1.1.2/32" port port="1-65535" protocol="tcp" accept
    [root@centos7 zones]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="10.1.1.2/32" port protocol="tcp" port="1-65535" accept'                                            
    success
    [root@centos7 zones]# firewall-cmd --list-all --zone=public
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0 eth1
      sources: 
      services: dhcpv6-client ssh
      ports: 25/tcp 9090/tcp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
    [root@centos7 zones]#
    

    See firewall-cmd
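    An added example, not part of the post: a POSIX shell audit that reads a saved copy of firewall-cmd --list-all output (the listing here is constructed to match the shape shown above) and answers the questions a reviewer asks of it: whether a given port or service is open, which source addresses are granted by rich rules, and how many rich rules grant a source every port, as the 1-65535 rule above does. Function names and the temp-file handling are this example's own; on a real server, feed it the output of firewall-cmd --list-all --zone=public.

```shell
#!/bin/sh
# Added example (not firewalld's own tooling): audit a saved zone listing.
# The listing is constructed in the shape of `firewall-cmd --list-all --zone=public`.
SAMPLE_ZONE=$(mktemp)
trap 'rm -f "$SAMPLE_ZONE"' EXIT
cat > "$SAMPLE_ZONE" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client ssh
  ports: 25/tcp 9090/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.1.1.2/32" port port="1-65535" protocol="tcp" accept
EOF

# Print the value of a single-line field (services, ports, interfaces, ...).
zone_field() {   # $1 = field name, $2 = listing file
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2"
}

# 0 if "port/proto" ($1) is explicitly opened in the listing ($2), else 1.
port_allowed() {
    for p in $(zone_field ports "$2"); do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# 0 if service ($1) is enabled in the listing ($2), else 1. Ports opened via a
# service do not appear under "ports:", so both checks are needed.
service_allowed() {
    for s in $(zone_field services "$2"); do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Source addresses granted by rich rules; these bypass the per-port view above.
rich_rule_sources() {   # $1 = listing file
    grep -o 'source address="[^"]*"' "$1" | cut -d'"' -f2
}

# Number of rich rules that accept every port for a source (as the post's
# example does); each one is equivalent to trusting that host entirely.
all_port_rules() {   # $1 = listing file
    grep -c 'port="1-65535"' "$1" || true
}

echo "ssh service enabled:  $(service_allowed ssh "$SAMPLE_ZONE" && echo yes || echo no)"
echo "25/tcp open:          $(port_allowed 25/tcp "$SAMPLE_ZONE" && echo yes || echo no)"
echo "rich-rule sources:    $(rich_rule_sources "$SAMPLE_ZONE")"
echo "all-port rich rules:  $(all_port_rules "$SAMPLE_ZONE")"
```

    A rule granting every port to one address is easy to miss in a long listing, so the count of such rules is a useful line in a periodic firewall review.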

  • Install CSF Firewall

    On a non-cPanel server, install the Perl modules

    yum install -y perl perl-libwww-perl perl-Time-HiRes unzip bind-utils
    

    On Ubuntu

    apt-get install libwww-perl
    

    Once the requirements are installed, install csf with

    cd /usr/local/src
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    
    sed -i "s/RESTRICT_SYSLOG = \"0\"/RESTRICT_SYSLOG = \"1\"/g" /etc/csf/csf.conf
    

    See csf

  • Block Country in CSF firewall

    CSF firewall can block all traffic from a country or list of countries using the GeoIP database.

    To block a country, edit the file

    /etc/csf/csf.conf
    

    Find

    CC_DENY=""
    

    Replace with

    CC_DENY="2_LETTER_COUNTRY_CODE"
    

    For example, to block all traffic from China

    CC_DENY="CN"
    

    To block more than one country, separate the codes with commas, like

    CC_DENY="CN,RU"
    

    Now restart the CSF firewall with

    csf -r
    

    See CSF firewall
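    The install posts above change csf.conf with one sed line per key, and this post edits CC_DENY by hand. The following added example (not CSF's own code) turns that edit into a reusable function that matches the key whatever its current spacing or value, appends the key when it is missing, and validates a CC_DENY value before writing it. It runs on a constructed excerpt of csf.conf rather than the real file, assumes GNU sed for the in-place edit, and uses function names of its own; on a real server, run csf -r afterwards as the posts say.

```shell
#!/bin/sh
# Added example (not CSF's own code): idempotent edits to a csf.conf-style file.
# Runs on a constructed excerpt; on a real server point it at /etc/csf/csf.conf
# and run `csf -r` afterwards. Assumes GNU sed for the in-place edit.

# Value of KEY from a csf.conf-style file (lines look like KEY = "value").
csf_get_key() {   # $1 = conf file, $2 = key
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Set KEY = "value", whatever spacing or value the line currently has; append
# the key if it is absent. Returns 1 when the file cannot be read.
csf_set_key() {   # $1 = conf file, $2 = key, $3 = new value
    [ -r "$1" ] || return 1
    if grep -q "^$2[[:space:]]*=" "$1"; then
        sed -i "s|^$2[[:space:]]*=.*|$2 = \"$3\"|" "$1"
    else
        printf '%s = "%s"\n' "$2" "$3" >> "$1"
    fi
}

# 0 when $1 is a comma-separated list of upper-case two-letter country codes
# (the form the post uses for CC_DENY), 1 otherwise.
cc_list_valid() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | tr ',' '\n' | grep -qvE '^[A-Z]{2}$' && return 1
    return 0
}

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed excerpt of a freshly installed csf.conf
TESTING = "1"
RESTRICT_SYSLOG = "0"
SYSLOG_CHECK = "0"
CC_DENY = ""
EOF

# The same edits as the sed lines in the install posts above.
csf_set_key "$SAMPLE_CONF" TESTING 0
csf_set_key "$SAMPLE_CONF" RESTRICT_SYSLOG 3
csf_set_key "$SAMPLE_CONF" SYSLOG_CHECK 3600
# Validate the country list before writing it.
cc_list_valid "CN,RU" && csf_set_key "$SAMPLE_CONF" CC_DENY "CN,RU"
# A key missing from the excerpt is appended rather than silently skipped.
csf_set_key "$SAMPLE_CONF" LF_PERMBLOCK_ALERT 0
cat "$SAMPLE_CONF"
```

    The plain sed lines in the posts only match when the line has exactly the expected spacing and value (for example TESTING = "1"), so they do nothing on a file that has already been edited; matching on the key alone makes the script safe to re-run.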

  • Disable IP Block Alerts in CSF Firewall

    To disable the IP block alert (LF_PERMBLOCK_ALERT) in CSF firewall, run

    sed -i "s/LF_PERMBLOCK_ALERT\s*=.*$/LF_PERMBLOCK_ALERT = \"0\"/g" /etc/csf/csf.conf
    

    Restart lfd and csf

    systemctl restart lfd
    csf -r
    

    See csf firewall

  • How to Block a Country in CSF firewall

    To block all traffic from a country in CSF Firewall, edit the file /etc/csf/csf.conf

    vi /etc/csf/csf.conf
    

    Find the line

    CC_DENY = ""
    

    On this line, add the two-letter country code(s). For example, to block China and Russia, add

    CC_DENY = "CN,RU"
    

    Now restart the firewall with the commands

    systemctl restart lfd
    csf -r
    
  • Unban an IP from CSF Firewall

    To unban an IP from CSF firewall, run

    csf -dr IP_ADDR
    

    Here I have an IP blocked in the firewall.

    [root@server22 ~]# iptables -L -n | grep 13.224.29.193
    DROP       all  --  13.224.29.193        0.0.0.0/0           
    LOGDROPOUT  all  --  0.0.0.0/0            13.224.29.193       
    [root@server22 ~]# 
    

    To see if CSF is blocking the IP, run

    csf -g IP_ADDR
    

    This command also gives the reason why the IP was blocked.

    Let's unban the IP address with the command

    csf -dr IP_ADDR
    

    The IP should no longer be listed in iptables; verify with

    iptables -L -n | grep IP_ADDR
    

    csf
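    As an added example (not part of the post), the check below reads iptables -L -n output (a constructed listing in the shape shown above) and tests whether an address is the exact source or destination of a DROP-type rule, which is the "is it still blocked" question asked before and after csf -dr. Comparing whole fields avoids a pitfall of a plain grep for the address: 13.224.29.19 would also match 13.224.29.193. Function names are this example's own; on a real server, pipe iptables -L -n into a file and pass that.

```shell
#!/bin/sh
# Added example (not CSF's own tooling): confirm block state from iptables output.
# Constructed listing in the shape of `iptables -L -n` on a CSF server; the
# .19 address is included only to show that substring matches are avoided.
SAMPLE_IPT=$(mktemp)
trap 'rm -f "$SAMPLE_IPT"' EXIT
cat > "$SAMPLE_IPT" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  13.224.29.193        0.0.0.0/0
ACCEPT     all  --  13.224.29.19         0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
LOGDROPOUT  all  --  0.0.0.0/0            13.224.29.193
EOF

# Columns of `iptables -L -n` (no -v): target prot opt source destination.
# 0 if $1 is the exact source or destination of a DROP/REJECT/LOGDROP* rule
# in listing $2, 1 otherwise.
ip_blocked() {
    awk -v ip="$1" '
        $1 ~ /^(DROP|REJECT|LOGDROPIN|LOGDROPOUT)$/ && ($4 == ip || $5 == ip) { found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# Every rule line whose source or destination is exactly $1 (any target),
# for a before/after comparison around `csf -dr`.
ip_rule_lines() {
    awk -v ip="$1" '$4 == ip || $5 == ip' "$2"
}

for ip in 13.224.29.193 13.224.29.19; do
    if ip_blocked "$ip" "$SAMPLE_IPT"; then
        echo "$ip: blocked"
    else
        echo "$ip: not blocked"
    fi
    ip_rule_lines "$ip" "$SAMPLE_IPT"
done
```

    After csf -dr, re-run the check against fresh iptables -L -n output; a non-zero return from ip_blocked confirms the rules are gone.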